Fraud is currently one of the greatest threats to our private information, and it can also undermine trust in the infrastructure. It is therefore fitting that, when data is transmitted, both its originality (that it is unaltered) and its sender are verified. This process falls under nonrepudiation.
There are two parts to nonrepudiation: hashing and signing.
Hashing uses an algorithm, like MD5, to generate a fixed-length value for a piece of data. This value changes drastically with any alteration. Therefore, comparing an older hash value with a later one can verify the corresponding data's originality.
Let us look at an example of hashing: Jim wants to send a document to Bill. He also wants Bill to check for unauthorized changes (man-in-the-middle). Jim creates a hash and sends it separately from the document. Bill, who now has both Jim's hash and the document, creates a new hash of the document he received and compares the two. If the hashes are identical, the conclusion is that the document was not altered.
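The Jim-and-Bill check above, as an added example that is not part of the original post. SHA-256 is used here in place of the MD5 named in the text, since MD5 has known collision attacks; the document strings are constructed samples. The third scenario shows the caveat a practitioner would want: anyone who can alter the document can also recompute its hash, so the check only holds if Jim's hash reaches Bill over a channel the attacker cannot modify (or is signed, as the next section describes).

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// hashDocument returns the hex-encoded SHA-256 digest of a document.
func hashDocument(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// verifyDocument is Bill's check: recompute the digest of what arrived and
// compare it with the digest Jim sent separately.
func verifyDocument(received []byte, senderHash string) bool {
	return hashDocument(received) == senderHash
}

// demo runs three scenarios and returns their outcomes:
//  1. the document arrives unchanged, so the hashes match;
//  2. one figure changed in transit, so the mismatch is detected;
//  3. the document AND the hash were both replaced on the same untrusted
//     path, so the check passes and the change goes unnoticed.
func demo() (unchangedVerifies, tamperDetected, replacedPairPasses bool) {
	original := []byte("Pay Bill 100 dollars on Friday.") // constructed sample
	jimsHash := hashDocument(original)

	unchangedVerifies = verifyDocument(original, jimsHash)

	tampered := []byte("Pay Bill 900 dollars on Friday.") // constructed sample
	tamperDetected = !verifyDocument(tampered, jimsHash)

	// Hash recomputed over the altered document and delivered in place of Jim's.
	replacedHash := hashDocument(tampered)
	replacedPairPasses = verifyDocument(tampered, replacedHash)

	return unchangedVerifies, tamperDetected, replacedPairPasses
}

func main() {
	a, b, c := demo()
	fmt.Printf("unchanged document verifies: %v\n", a)
	fmt.Printf("tampered document detected:  %v\n", b)
	fmt.Printf("replaced document+hash pass: %v\n", c)
}
```

The second and third results together make the point of the next section: a bare hash proves that two copies are identical, but not that the copy Bill holds is the one Jim produced.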
Signatures are used to verify identity. But, online, someone can pretend to be someone else, or even go so far as to claim that they themselves were impersonated. So how can we prove that the person we are talking to is who they claim to be?
With online transactions, nonrepudiation can be accomplished with digital signatures. This is done through a public key infrastructure (PKI), which generates asymmetric key pairs. But instead of using public keys to encrypt and private keys to decrypt, with digital signatures the private key signs and the public key validates. This same process underlies certificates, which web browsers use when verifying websites.
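The sign-with-private, validate-with-public split described above, as an added example that is not from the original post. It uses Go's standard `crypto/ed25519`; the names Jim and "another party", the document strings and the `Signer` type are constructed for illustration, and the certificate step (a CA signing Jim's public key to bind it to his name) is not shown. The third check is the one that ties the document to Jim: a signature made with any other private key fails against Jim's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds one party's key pair. Only the public half is ever shared;
// it is what a recipient (or a certificate) would hold to validate.
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{pub: pub, priv: priv}, nil
}

// Sign hashes the document with SHA-256 and signs the digest with the
// private key. Ed25519 hashes internally as well; hashing first keeps the
// "sign the digest" pattern explicit, matching how RSA/ECDSA signatures work.
func (s *Signer) Sign(doc []byte) []byte {
	digest := sha256.Sum256(doc)
	return ed25519.Sign(s.priv, digest[:])
}

// Verify is the recipient's check and needs only the signer's public key.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ed25519.Verify(pub, digest[:], sig)
}

// demo returns whether (1) Jim's genuine signature verifies, (2) an altered
// document is rejected, and (3) a signature made with someone else's
// private key is rejected when checked against Jim's public key.
func demo() (genuineOK, tamperRejected, otherKeyRejected bool, err error) {
	jim, err := NewSigner()
	if err != nil {
		return false, false, false, err
	}
	doc := []byte("Pay Bill 100 dollars on Friday.") // constructed sample
	sig := jim.Sign(doc)

	genuineOK = Verify(jim.pub, doc, sig)

	tampered := []byte("Pay Bill 900 dollars on Friday.") // constructed sample
	tamperRejected = !Verify(jim.pub, tampered, sig)

	// Another party with their own key pair signs the same document; Bill,
	// holding only Jim's public key, rejects it.
	other, err := NewSigner()
	if err != nil {
		return false, false, false, err
	}
	otherKeyRejected = !Verify(jim.pub, doc, other.Sign(doc))

	return genuineOK, tamperRejected, otherKeyRejected, nil
}

func main() {
	a, b, c, err := demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine signature verifies: %v\n", a)
	fmt.Printf("tampered document rejected: %v\n", b)
	fmt.Printf("other key's signature rejected: %v\n", c)
}
```

Compared with the bare hash check, the recipient no longer needs a separate trusted channel for the hash: the signature travels with the document, and only Jim's public key (obtained once, for example from a certificate) must be trusted.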
So nonrepudiation provides credibility by combining hashing and signing. But this is only one of many steps in securing our communications, and so the quest for better security continues.